The Disconnect Between Understanding and Behavior: How to Accurately Measure and Change Behavior
Survey after survey indicates that the general public's understanding of simple cybersecurity hygiene concepts, such as using strong passwords, is fairly good. Pew Research Center found that the majority of people know what a strong password is. Yet their behavior shows otherwise. This presents a critical challenge if you want to accurately measure your security culture in order to reduce business and operational risk.
Common practices for measuring employee behavior currently include training completion, phishing metrics and surveys. This is not a comprehensive approach to truly understanding your company's security posture. For example, if a doctor judged a patient's overall health from only a few indicators, the diagnosis could be wrong in ways that harm the patient. A security awareness program is no different. In order to understand the strengths and weaknesses of an individual, we have to take all of their security behaviors into account, beyond the basics. Surveys can be a good tool to measure perceptions and knowledge of a concept, but not actual behavior – and it is behavior that strengthens or weakens your cybersecurity posture.
More often than not, what people say they do and what they actually do are very different. There is a reason why insurance companies use metrics such as age, driving history and tracked driving habits to determine true behavior. Allstate conducted a study and found that most people considered themselves "excellent" or "very good" drivers, yet their behavior showed otherwise. There are several reasons why this happens: people are unaware of their actions, they are afraid of the consequences, or they simply guessed the answer. If insurance companies charged rates based on drivers' own perspectives and self-assessment surveys, our experiences on the road would be completely different.
If you want to accurately assess which employees are top performers and who your stragglers are, you must establish impactful baseline metrics for all of the behaviors you want to influence. This information will inform how your behavior change program is working and how to improve it.
Here are a handful of ways to collect measurements on your key security behaviors:
- Use existing data streams to collect:
  - Incident response metrics
  - Vulnerability metrics
  - Patching of systems
  - Phishing click-through
  - Reporting rates
- Point-in-time assessments such as floor sweeps, printer checks, whiteboard checks and unlocked computers
- A/B testing: a method of comparing two groups against each other to determine which one performs better.
The A/B approach is particularly impactful for testing the effectiveness of training on a specific topic. If the training focuses on phishing and reporting, you should find that training alumni outperform non-participants on the target behavior. For example, with Hacker's Mind, our security behavior change training, companies typically see:
- 40% fewer user-generated incidents
- 50% fewer successful phishing attacks
- 82% more employee reporting
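The A/B comparison described above can be made concrete with a small script. The example below is added here and is not code from the original post or from Elevate Security: it takes per-user phishing-simulation results for a trained group and a control group, computes click-through and reporting rates for each, expresses the difference as a relative change (the "X% fewer / more" form used above), and applies a two-proportion z-test so that a small difference between two small groups is not mistaken for a training effect. The `SimulationResult` record and the `RESULTS` data are constructed for the example; in practice the records would come from your phishing platform's export.

```python
"""A/B comparison of security behaviors between a trained group and a control group.

Added example, not from the original post or from Elevate Security. The records
below are constructed sample data; a real run would read the phishing platform's
per-user results instead.
"""
from collections import defaultdict
from dataclasses import dataclass
from math import erfc, sqrt


@dataclass(frozen=True)
class SimulationResult:
    """One user's outcome for one simulated phishing email (constructed fields)."""
    user: str
    group: str        # "trained" (completed the training) or "control"
    clicked: bool     # followed the link in the simulation
    reported: bool    # reported the email to the security team


# Constructed sample data: 100 trained users and 100 control users.
RESULTS = (
    [SimulationResult(f"t{i}", "trained", clicked=(i % 10 == 0), reported=(i % 2 == 0))
     for i in range(100)]
    + [SimulationResult(f"c{i}", "control", clicked=(i % 5 == 0), reported=(i % 4 == 0))
       for i in range(100)]
)


def group_counts(results):
    """Count users, clicks and reports per group."""
    counts = defaultdict(lambda: {"n": 0, "clicked": 0, "reported": 0})
    for r in results:
        c = counts[r.group]
        c["n"] += 1
        c["clicked"] += int(r.clicked)
        c["reported"] += int(r.reported)
    return dict(counts)


def two_proportion_z_test(successes_a, n_a, successes_b, n_b):
    """Two-sided z-test for equal proportions; returns (z, p_value).

    Uses the pooled rate under the null hypothesis that both groups behave alike.
    """
    p_a, p_b = successes_a / n_a, successes_b / n_b
    pooled = (successes_a + successes_b) / (n_a + n_b)
    se = sqrt(pooled * (1 - pooled) * (1 / n_a + 1 / n_b))
    if se == 0:  # both groups all-zero or all-one: no evidence either way
        return 0.0, 1.0
    z = (p_a - p_b) / se
    p_value = erfc(abs(z) / sqrt(2))  # two-sided tail probability of a standard normal
    return z, p_value


def relative_change(treated, control):
    """Relative difference of the treated rate versus control (-0.5 means 50% fewer)."""
    if control == 0:
        raise ValueError("control rate is zero; relative change is undefined")
    return (treated - control) / control


def compare_groups(results, treated="trained", control="control", alpha=0.05):
    """Summarise click-through and reporting for the treated group against control.

    Returns, per behavior, both rates, the relative change, the z statistic, the
    p-value and whether the difference is significant at the given alpha.
    """
    counts = group_counts(results)
    t, c = counts[treated], counts[control]
    report = {}
    for behavior in ("clicked", "reported"):
        t_rate, c_rate = t[behavior] / t["n"], c[behavior] / c["n"]
        z, p = two_proportion_z_test(t[behavior], t["n"], c[behavior], c["n"])
        report[behavior] = {
            "treated_rate": t_rate,
            "control_rate": c_rate,
            "relative_change": relative_change(t_rate, c_rate),
            "z": z,
            "p_value": p,
            "significant": p < alpha,
        }
    return report


if __name__ == "__main__":
    for behavior, stats in compare_groups(RESULTS).items():
        direction = "fewer" if stats["relative_change"] < 0 else "more"
        verdict = "significant" if stats["significant"] else "not significant"
        print(f"{behavior}: trained {stats['treated_rate']:.0%} vs control "
              f"{stats['control_rate']:.0%} ({abs(stats['relative_change']):.0%} "
              f"{direction}, p={stats['p_value']:.3f}, {verdict})")
```

With the constructed data the trained group clicks half as often (10% versus 20%) and reports twice as often (50% versus 25%); the click difference only just clears a 0.05 threshold with 100 users per group, which is the point of carrying the test: the same relative change measured on twenty users per group would not be evidence of anything, and a baseline taken before training is what makes the comparison meaningful at the next measurement interval.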
Measure your ongoing impact and adjust accordingly
Decide on a regular interval at which you’ll measure how these metrics change and (hopefully) improve over time. Whether monthly, quarterly or semi-annually, keep measurements at consistent intervals.
If you would like to dig deeper into this topic we’ve developed a guide, “Fantastic Metrics and Where to Find Them.” In this guide, we’ll show you how to leverage metrics to build a successful security behavior change program, including:
- What metrics to use for goals to measure how and when your employees’ security behavior improves
- The systems and software your company may use where you can source those metrics
- How to verify or test the data from those sources
About the Author:
Co-Founder and Chief Product Officer at Elevate Security
Masha Sedova is an industry-recognized people-security expert, speaker and trainer focused on engaging people to be key elements of secure organizations. She is the co-founder of Elevate Security, delivering the first people-centric security platform that leverages behavioral science to transform employees into security super-humans. Before Elevate Security, Masha Sedova was a security executive at Salesforce, where she built and led the security engagement team focused on improving the security mindset of employees, partners and customers. In addition, Masha has been a member of the Board of Directors for the National Cyber Security Alliance and a regular presenter at conferences such as Blackhat, RSA, ISSA, Enigma and SANS.